The Costs and Risks of Account Takeover

Let's start by defining ATO. Account takeover is a form of online identity theft in which a cybercriminal illegally gains access to a victim's account, such as a bank account or e-commerce account. The victims account will be of value to the hacker because it either holds funds or access to products, services or other stored value of some kind; as is the case with loyalty accounts for specific companies. Once the cybercriminal has gained access to the account, they will drain funds, use loyalty points, or use the credit and debit card information to commit an act of online fraud.

Cybercriminals will use various techniques to gain illegal access to the victim's account, the most common of which are credential stuffing and credential cracking. Credential stuffing is an automated web injection attack where hackers use credential information sourced from data breaches to gain access to the victim's other accounts. Credential cracking is another term for a brute force attack in which hackers will use dictionary lists or common usernames and passwords to guess their way into an account.

ATO Risks by The Numbers

While cyber fraudsters traditionally targeted bank accounts, they are broadening their scope to target a range of online accounts such as e-commerce accounts, social media accounts, shop loyalty schemes, cryptocurrency wallets, and email accounts.

ATO attacks are a major threat to online consumers and the reputation of companies whose consumers suffer from them. To understand why cybercriminals are increasing their efforts on account takeovers, you only have to look at how lucrative they are.

A 2018 NuData Security report found that 40% of all account access attempts online are high risk, meaning they are targeting access to financial data or something of value

From 2016 to 2017, losses from Account Takeover rose 122%. In 2018, it increased by 164%

The cost of these attacks tripled from 2016 to 2017, reaching an estimated $5.1 billion in the United States alone

According to Juniper Research, losses from fraudulent online transactions are expected to reach $25.6 billion by 2020

Cybercriminals Exploring New ATO Horizons

While cyber fraudsters traditionally targeted bank accounts, they are broadening their scope to target a range of online accounts such as e-commerce accounts, social media accounts, shop loyalty schemes, cryptocurrency wallets, and email accounts.

The e-commerce industry is growing at a rapid rate as online retailers tap into new markets in Asia and South America, and consumers enjoy the convenience of online shopping. According to German online statistics portal, Statista, e-commerce revenue in India is expected to grow to 62.3 billion U.S. Dollars in 2023, and more than double its current volume by 2022. When an online market grows, the attention cybercriminals put into exploiting it also grows. Large retail companies like Walmart and Amazon are also attempting to tap into the growing e-commerce markets in India, South Korea, Turkey, and Brazil and capture a new consumer base. In May 2018 Walmart acquired a 77% stake in Flipkart, India's largest online retailer, for $16 billion following two years of talks with the company.

These new consumers represent a lucrative new market for cybercriminals and it is not just the influx of newcomers that is fueling cybercriminals but also changes in consumer behavior. More consumers are turning to alternative payment methods such as Venmo, Zelle, and PayPal shifting the focus away from bank accounts as the sole way of paying for things online. Retailers are also expanding how consumers can pay for their products by allowing purchases through mobile payment apps. Losses from ATO and fraud cost businesses across all industries, and all across the world, billions of dollars per year.

Another way cybercriminals are expanding the threat is by the device. Mobile and mobile apps are becoming a prime target for account takeover. In Rippleshot's State of Card Fraud 2018 report they predicted that mobile phones would become an increasingly vulnerable target and the latest research appears to indicate the same. Javelin's 2019 Identity Fraud Study also indicated that mobile phone account takeovers are on the rise, accounting for 679,000 incidents in 2018, up around 45% from 2017. One of the reasons for this increase in mobile is technology lag. While there is an increase in tools designed to protect users through a web browser, many of those same tools do not work on mobile apps.

Largest ATO Risk: Exposed Passwords

Having more online accounts means having more usernames and passwords to remember which will encourage some consumers to repeat their credentials across different accounts. This is highly risky but surprisingly common. According to darkreading.com 59% of survey respondents said they reuse passwords despite 91% of them saying they understand the risks associated. The main reason cited for reusing passwords was fear of forgetfulness.

As the results from the darkreading.com survey show, users will reuse passwords even understanding the risk, but why? Most likely because they haven't been stung by this practice since they haven't noticed their accounts have been compromised. However, they probably have been stung by their own forgetfulness which can be an inconvenience when they have to reset their login details. This leads users to weigh the risks and they often decide it's easier to reuse passwords despite the cost being so high if their credentials are exposed.

What can be done about ATO Risks?

Concerned users can use websites like https://www.avast.com/hackcheck/ to see if your password has been leaked online. The Avast website will tell you what company the data breach was associated with and offer advice on next steps. When it comes to passwords, they recommend that if your password has appeared on a list of exposed credentials, you should change your password on any accounts you have used it and cease using that password. Taking action can greatly reduce the risk of you falling victim to a credential stuffing attack.

Password screening is the process of testing the strength of your password. Many cybersecurity companies offer this service, for example, https://check.enzoic.com/ to check if their passwords are weak. Sites like this can also tell you how long it would take to crack your password in a brute force attack. If your password can be cracked in a matter of hours by a brute force attack then you should strongly consider changing your password immediately. A lot of online tools will now tell you how strong your password is (usually using a scale of easy to hard) and suggest ways to improve the strength, but password screening services go a step further for businesses, non-profits, and government agencies.

Credential Screening

For businesses, non-profits and government agencies, the stakes are a lot higher. They could have thousands of user accounts vulnerable to account takeover and fraud due to the password reuse issue listed above.

Credential screening for online accounts can help prevent account takeover. Credential screening is the process of seamlessly screening usernames and passwords to identify if they have been compromised. These systems compare users' credentials to large databases of leaked credentials in order to find a match and alert the user to their exposed credentials. This adds a strong layer of security to users' accounts and also highlights the risk in password reuse. The check is performed at login, password reset or account set up.

Unlike other authentication tools, credential screening only impacts the users who have exposed credentials, the rest of your users are completely unencumbered. This solution can also be used on all devices, not just websites. Any place where an organization collects a user name and password combination, a credential screening solution can be added. For more information about compromised credential screening, visit www.enzoic.com.

About the Author

Greene currently serves as CEO and General Manager of Enzoic (formerly PasswordPing), a cyber-security company that screens logins for compromised credentials to prevent account takeover and fraud. He is a growth-oriented CEO and General Manager with extensive experience across the organization from product and operations to sales and marketing - in a variety of international high growth companies. Prior to Enzoic, he was the CEO of ID Watchdog, an identity theft protection company that was sold to Equifax in 2017. Before IDWatchdog, Greene held senior management positions at Symantec, Webroot, Thompson Micromedix, Raindance and Baxter.